From e4ea8b0bef22eb8535d80c629a1170865bd9736f Mon Sep 17 00:00:00 2001
From: Sebastien Boeuf <sebastien.boeuf@intel.com>
Date: Fri, 27 Mar 2020 09:16:34 +0100
Subject: [PATCH] vmm: Add missing syscalls to the seccomp filters

Both clock_gettime and gettimeofday syscalls where missing when running
Cloud-Hypervisor on a Linux host without vDSO enabled. On a system with
vDSO enabled, the syscalls performed by vDSO were not filtered, that's
why we didn't have to whitelist them.

Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
---
 vmm/src/seccomp_filters.rs | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/vmm/src/seccomp_filters.rs b/vmm/src/seccomp_filters.rs
index bd815dd5e..6be0ddbdb 100644
--- a/vmm/src/seccomp_filters.rs
+++ b/vmm/src/seccomp_filters.rs
@@ -175,6 +175,7 @@ pub fn vmm_thread_filter() -> Result<SeccompFilter, Error> {
             allow_syscall(libc::SYS_arch_prctl),
             allow_syscall(libc::SYS_bind),
             allow_syscall(libc::SYS_brk),
+            allow_syscall(libc::SYS_clock_gettime),
             allow_syscall(libc::SYS_clone),
             allow_syscall(libc::SYS_close),
             allow_syscall(libc::SYS_connect),
@@ -195,6 +196,7 @@ pub fn vmm_thread_filter() -> Result<SeccompFilter, Error> {
             allow_syscall(libc::SYS_futex),
             allow_syscall(libc::SYS_getpid),
             allow_syscall(libc::SYS_getrandom),
+            allow_syscall(libc::SYS_gettimeofday),
             allow_syscall(libc::SYS_getuid),
             allow_syscall_if(libc::SYS_ioctl, create_vmm_ioctl_seccomp_rule()?),
             allow_syscall(libc::SYS_listen),